3 UX Mistakes That Make Sites More Hackable

Drew Davidson of ÄKTA points out simple design improvements companies can make to prevent security mishaps.

Do you know that the URL bar in your browser is a potential security hole? I didn't either. I barely look at the thing unless I'm punching in a search term. But according to Drew Davidson, vice president of design at ÄKTA, that thin strip of UI chrome is a little keyhole that a hacker can use to infiltrate a company's website.

As Charles Eames famously said, "the details are not the details. They make the design." Here are three subtle mistakes your company might be making in user-experience design that open you up to a breach.

1. The security features of your UI are a pain in the ass.

Wait a minute—aren't fancy security measures like two-step verification all the rage now? (Just ask Google and Dropbox.) The counterintuitive truth, says Davidson, is that the trickier you make your site's interface—even for a good cause, like protecting the user's data—the more likely your user is to actively undermine it.

"Security policies that introduce too many steps are not effective," Davidson explains, "because people will tend to do something imprudent—like setting a basic password—in order to make navigating the UI easier."

Davidson cites a file-storage company (which he can't name) as an example: "There’s literally 25 steps to go through before you can create an account." This might make some sense if the company's customers were only uploading sensitive information like medical records or social security numbers. But in reality, most of the users are just "using the software for Dropbox-like functionality, like storing resumes and photos," Davidson says. The inappropriately Fort Knox-like UI design backfires as users cope by making their own data even less secure. It's lose-lose.

2. Your user interface is full of peepholes into your backend systems.

Here's where that URL bar can become a problem. "When you’re in a checkout process, many sites use different vendors to power that process," Davidson says. "You can see the URL changing as you click through the checkout, and it can tell a hacker exactly which systems you're using for which parts of your process, so they can infiltrate it that way."

Vendor names, software libraries, and even file and folder structures can be left hanging out in the open accidentally. Davidson says that this was how Edward Snowden got his hands on NSA files he wasn't supposed to be able to access. The NSA's software interface showed him exactly where to look for sensitive materials, even though he didn't have access to actually open them. Armed with that information, Snowden was able to use the command line as a "back door." The UI design technically prevented him from walking in the front door, but certainly helped him case the joint.
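A defensive check for the leak described in this section, as an added example that is not from the article or from Davidson: it walks the URLs a customer sees during a checkout and reports what each one discloses. The hostnames, paths, extension table and the `auditFlow` name are constructed for illustration.

```javascript
// Added example; every hostname and path below is constructed sample data.
const TECH_BY_EXTENSION = {
  ".php": "PHP", ".aspx": "ASP.NET", ".jsp": "Java (JSP)", ".cfm": "ColdFusion",
};

// Rough "same site" test: compare the last two DNS labels.
// Assumption: enough for a sketch; production code should use the Public Suffix List.
const siteOf = (host) => host.split(".").slice(-2).join(".");

function auditFlow(firstPartyHost, urls) {
  const findings = [];
  urls.forEach((raw, step) => {
    const u = new URL(raw);
    // 1. A hop to another site names the vendor behind this step.
    if (siteOf(u.hostname) !== siteOf(firstPartyHost)) {
      findings.push({ step, kind: "third-party-host", detail: u.hostname });
    }
    // 2. A file extension in the path names the server-side technology.
    const last = u.pathname.split("/").pop();
    const dot = last.lastIndexOf(".");
    const tech = dot > 0 ? TECH_BY_EXTENSION[last.slice(dot).toLowerCase()] : undefined;
    if (tech) findings.push({ step, kind: "technology", detail: tech });
    // 3. A parameter holding a filesystem-style path exposes the folder layout.
    for (const [name, value] of u.searchParams) {
      if (/^(\/|\.\.?\/)/.test(value)) {
        findings.push({ step, kind: "file-path", detail: `${name}=${value}` });
      }
    }
  });
  return findings;
}

// Constructed checkout flow, in the order the address bar would show it.
const SAMPLE_FLOW = [
  "https://shop.example.com/cart",
  "https://shop.example.com/checkout/address.aspx",
  "https://pay.vendor-payments.example/session?merchant=shop-example&return=https%3A%2F%2Fshop.example.com%2Fdone",
  "https://shop.example.com/receipt?template=/templates/receipts/default.html",
];

for (const f of auditFlow("shop.example.com", SAMPLE_FLOW)) {
  console.log(`step ${f.step}: ${f.kind} -> ${f.detail}`);
}
```

Each finding is something to hide behind a first-party route, for example by proxying the vendor step under your own domain, routing extensionless paths, and replacing path parameters with opaque identifiers.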

3. No one at your company really knows how to use your backend software.

Why is it that Medium, Instagram, and Tumblr can make complicated functionality feel effortless, but most enterprise software makes even the simplest manipulations feel like torture? Davidson says that the simplest thing a company can do to make its software secure is to ensure that its employees know how to use it.

"Things like the role of administrators, making sure there’s a permissions system in place that is robust and alerts you when someone’s doing something they’re not supposed to be doing—almost all of these systems are extremely clunky and hard to use," Davidson says. "It’s not clear who has access to what, and when, and for how long. It’s totally a UI problem: all the security engineering in the world isn’t going to prevent someone from checking the wrong box if it's not clear to them what they're doing."

Implementing these changes might be easier said than done, but they acknowledge that security is a "people problem," not just a technical one. Designing tools that let the people we trust with our data actually do their jobs—and don't compel us to do them poorly ourselves—should be the starting point, not an afterthought. If a hacker wants in, he or she will almost surely find a way. But we don't have to invite them in.

9 Comments

As is often the case, the cash is spent on the technical/physical side and designing form layout, structure is totally ignored & then the people using the system are blamed for not understanding it. It's the same reason why, for years and years, if people wanted to tape something off the TV to their VCR, they had to type out a very long number and hope for the best that it would all work. The technical side was covered but the design/UX of the process to use the feature was broken. I'm sure we will look back in a few years at all these passwords and see them as stupid as having to type in a long code to record a TV programme.

Thanks for your comment. Unfortunately, these issues are present in far too many websites and applications. Few companies understand the importance of a good user experience, and the problems get even worse when security is involved.

The issue in #2 is not isolated to technology, because oftentimes the user is thrown from one system to another when a vendor is involved. This creates an inconsistent and confusing experience for the user, while exposing back-end vendor names to would-be hackers.

The issue in #3 is that setting up and administering a solid permissions system is a large technical task, and the user experience is often overlooked. The technology for great permissions systems is there, but what is missing is a great interface for keeping it secure. It often is as simple as someone not understanding if they should check a particular box labeled "Administrator" when setting up a new user in the system, and that is a design problem that technology cannot fix.